Memorandum from the Office of the Inspector General

June 13, 2007

John E. Long, Jr., WT 7B-K

REQUEST FOR FINAL ACTION – AUDIT 2007-10997 – REVIEW OF TEMPORARY SHARES FOR SENSITIVE INFORMATION

Attached is the subject final report for your review and final action. Your written comments, which addressed your management decision and planned actions, have been included in the report. Please notify us when final action is complete.

Information contained in this report may be subject to public disclosure. Please advise us of any sensitive information in this report which you recommend be withheld.

If you have any questions, please contact Phyllis R. Bryan, Project Manager, at (865) 632-4043, or Jill M. Matthews, Director, Information Technology Audits, at (865) 632-4730. We appreciate the courtesy and cooperation received from your staff during the audit.

Ben R. Wagner
Assistant Inspector General
(Audits and Inspections)
ET 3C-K

PRB:SDB
Attachment
cc (Attachment):
      Steven A. Anderson, SP 5A-C
      William R. Brandenburg, Jr., MP 2B-C
      Maureen H. Dunn, WT 6A-K
      R. Clay Eckles, CTR 1P-M
      Frank A. Foster, OCP 2C-NST
      Nicholas P. Goschy, Jr., WT 6A-K
      Tom D. Kilgore, WT 7B-K
      Stacie A. Martin, MP 3C-C
      Richard W. Moore, ET 4C-K
      E. Wayne Robertson, MP 3B-C
      Anthony D. Smith, WT 5A-K
      OIG File No. 2007-10997


Office of the Inspector General                                   Audit Report
To the Chief Administrative Officer and Executive Vice President, Administrative Services

REVIEW OF TEMPORARY SHARES FOR SENSITIVE INFORMATION

Audit 2007-10997
June 13, 2007

Audit Team
Phyllis R. Bryan
Brian S. Childs
Kyle B. Cox
Melissa M. Neusel
Sarah E. Tipton
Stephanie R. Turner


TABLE OF CONTENTS

EXECUTIVE SUMMARY
BACKGROUND
OBJECTIVES, SCOPE, AND METHODOLOGY
FINDINGS
    PII AND BUSINESS SENSITIVE INFORMATION
    NON-BUSINESS INFORMATION
    MANAGEMENT OF TEMPORARY SHARES
    NOTIFICATION POLICY
    INFORMATION SECURITY POLICY
RECOMMENDATIONS
APPENDIX
    MEMORANDUM DATED JUNE 8, 2007, FROM JOHN E. LONG, JR., TO BEN R. WAGNER


EXECUTIVE SUMMARY

We performed an audit of Tennessee Valley Authority (TVA) temporary share drives to determine the extent to which personally identifiable information (PII)[i] and/or other sensitive information is being stored on these drives. Temporary share drives are provided at geographic locations around the Valley and are used by a broad spectrum of TVA employees to support the transfer and sharing of extremely large data files. Information Services (IS) identified 20 temporary shares; however, we were only able to access 17 of the shares, which were generally available to all users within TVA, including contractors with TVA IDs.

In summary, we determined:

•   PII (32 instances) and other sensitive information (69 instances) were not properly secured, thus exposing the information to anyone with a TVA network ID. The lack of protection of this information is a violation of TVA policy and could result in a violation of the Privacy Act.

•   Shares were being used to store non-business related information (four instances), which included games, personal pictures, and other documents.

•   TVA does not have a policy or guidance for management of temporary shares to address the proper use of the share (e.g., the types of information that can be stored and the unsecured nature of the share), the responsibilities of the users, and maintenance (e.g., a maximum time frame for retention of files on the share).

•   TVA Standard Programs and Processes (SPP) 12.9 on Computer Security and Privacy Incident Response, which includes procedures for notifying TVA employees and their dependents, contractors, and retirees and their dependents when PII has potentially been compromised, has yet to be implemented.

•   Two business practice drafts, (1) TVA Information Security Policy, which describes classification and protection of information, and (2) Acceptable Use of Information Resources (Rules of Behavior), which explicitly prohibits storage of non-TVA information on TVA servers, have yet to be implemented.

[i] Personally identifiable information means any information about an individual maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history, and information which can be used to distinguish or trace an individual's identity, such as their name, social security number, date and place of birth, mother's maiden name, biometric records, etc., including any other personal information which is linked or linkable to an individual.

As instances of questionable items were found, we notified IS personnel, who coordinated with the Organization Security Officer (OSO) or the person who put the information on the share to determine the appropriate level of security to be assigned to the item. The instances identified were put on the shares by individuals across multiple TVA organizations. High-risk items, such as PII, were immediately secured by IS. The determination of the sensitivity of some medium- to low-risk items is still underway by IS and the OSOs.

We recommend the Chief Administrative Officer and Executive Vice President, Administrative Services, ensure:

1. OSOs and IS continue the review of the identified items and restrict access as needed.

2. The draft procedure TVA-SPP-12.9 on Computer Security and Privacy Incident Response is implemented.

3. For PII data exposures identified in this audit, general and/or individual notifications are made regarding the type of data exposed and TVA management's assessment of risk regarding the data exposures. Individual notice should be given whenever PII, such as social security numbers or other information which could be used in identity theft, is disclosed.

4. The draft business practices on Information Security Policy and Acceptable Use of Information Resources and other guidance on the use of temporary shares are implemented or developed, and all TVA employees and contractors are trained on these policies.

Management's Response – TVA management agreed with the findings and provided completed and planned actions to implement the recommendations (see the Appendix for TVA comments). In summary, TVA has completed or plans to complete (1) a review of the remaining temporary shares; (2) implementation of the draft procedure TVA-SPP-12.9 on Computer Security and Privacy Incident Response; (3) general notification of the incidents, including employee and, as necessary, public notification; and (4) implementation of the draft business practices on Information Security Policy and Acceptable Use of Information Resources, associated training, and guidance on the use of temporary shares.

Regarding individual notification, TVA management is (1) awaiting the results of its risk assessment before making a decision on individual notifications and (2) informing the contractor of the PII exposure of its database and requesting that the contractor advise TVA regarding any notifications the contractor makes.

Auditor's Response – We concur with management's proposed actions for recommendations 1, 2, and 4. Regarding recommendation 3, we believe TVA's decision to perform a risk assessment to determine the level of notification required is consistent with OMB guidance. We recommend TVA (1) issue a general notification quickly and (2) expedite the risk assessment process to ensure individual notification, if warranted, is performed in a timely manner. The OIG will conduct a follow-up review after TVA completes its risk assessment process. The review will determine whether TVA's decision regarding individual notification(s) was reasonable.


BACKGROUND

In March 2007, Information Services (IS) notified the Office of the Inspector General (OIG) of an incident in which Performance Review and Development (PR&D) forms had been stored in a temporary share on an unsecured server. The PR&D forms identified the name of the person and employee ID but did not contain social security numbers. This information was available on a temporary share drive for approximately two hours. The OIG initiated an audit (2007-039T) to review the PR&D data exposure. In the course of that audit, we identified the potential for similar data exposures on other temporary share drives.

Temporary share drives are provided at geographic locations around the Valley and are used across Tennessee Valley Authority (TVA) organizations by TVA employees and contractors to support the transfer and sharing of extremely large data files. These share drives are generally accessible to all users within TVA, including contractors with TVA IDs.


OBJECTIVES, SCOPE, AND METHODOLOGY

The objective of this audit was to determine the extent to which personally identifiable information (PII) and/or other sensitive information is being stored on temporary share drives. The scope of the audit covered 20 temporary shares identified by IS; however, we were only able to access 17 of the shares.

To accomplish our objective, we:

•   Obtained a listing of the 20 temporary shares from IS.

•   Accessed each share and opened documents to determine if they contained any PII, TVA sensitive information, contractor proprietary information, or any other questionable information. We did not perform a 100 percent review of all the nuclear shares because the five nuclear shares contained almost 2.2 million files. We stopped our review of these shares after finding numerous instances of PII or business sensitive information and recommended the Organization Security Officers (OSOs) further review the shares.

•   Ranked each item as high, medium, or low risk and provided the information to IS for coordination and disposition with OSOs. In general, we used the following criteria for ranking the items:

    -   High -- Files containing PII, such as social security numbers and names or other identifying information, or Nuclear Safeguards Information.
    -   Medium -- Files potentially containing business sensitive information or labeled "sensitive," "proprietary," or other wording indicating distribution should be limited.
    -   Low -- Files which appeared to be personal information (pictures, documents, etc.).

•   Reviewed Communications Practice 8, Accessing and Using TVA Computing Resources; the drafts of two new business practices, TVA Information Security Policy and Acceptable Use of Information Resources (Rules of Behavior); and the draft of a new Standard Programs and Processes (SPP), Computer Security and Privacy Incident Response.

Fieldwork was conducted in April 2007. This audit was performed in accordance with generally accepted government auditing standards.


FINDINGS

In summary, we determined (1) PII and other sensitive information were not properly secured, thus exposing the information to anyone with a TVA network ID; (2) shares were being used to store non-business related information; (3) TVA does not have a policy or guidance for management of temporary shares to address the proper use of the share; (4) TVA does not have a policy implemented regarding the level of notification required when PII has been compromised; and (5) two business practice drafts, (a) TVA Information Security Policy, which describes classification and protection of information handled throughout TVA, and (b) Acceptable Use of Information Resources (Rules of Behavior), which explicitly prohibits storage of non-TVA information on TVA servers, have yet to be implemented.

The lack of protection of PII and other sensitive information is a violation of TVA policy and could result in a violation of the Privacy Act. As instances of questionable items were found, we notified IS personnel, who coordinated with the OSO or the person who put the information on the share to determine the appropriate level of security to be assigned to the item. The instances identified were put on the shares by individuals across multiple TVA organizations. High-risk items, such as PII, were immediately secured by IS. The determination of the sensitivity of some medium- to low-risk items is still underway by IS and the OSOs.

PII AND BUSINESS SENSITIVE INFORMATION

We found 101 instances of PII for TVA and contractor personnel and business sensitive information stored across the temporary shares. The 32 instances of PII for TVA employees and contractor employees included:

•   A database with approximately 7,900 employee names, social security numbers, telephone calling card numbers, and long distance authorization codes for the nuclear plants. Further investigation indicated this information was available on several occasions over the last few months, for up to a week each time, on a temporary share.
•   A database with approximately 11,000 contractor employees' names, social security numbers, home addresses, telephone numbers, dates of birth, disability codes, termination status, rehire status comments, etc. This database is used by a nuclear contractor to check its employees in and out of the plant. Further investigation indicated the information had been available on a temporary share since 2004.
•   Documents with names and social security numbers.
•   Documents with names, social security numbers, and dosimeter readings.
•   E-mails regarding disciplinary action and incident investigations.

All PII files were secured by IS upon notification. We could not determine whether PII had been inappropriately accessed, because no usage tracking (access logging) is available for temporary shares; the exposure can therefore be bounded only by how long each file sat on the share, not by who opened it.

We also found 69 instances of business sensitive information of TVA and contractors stored across the temporary shares. The information included:

•   TVA documents or drawings marked "Sensitive" or "Business Sensitive"
•   Contractor documents or drawings marked "Proprietary Information"
•   Contractor proposals
•   A document marked "Attorney/Client Privilege"

In addition to the documents described above, we noted numerous instances of unmarked substation drawings, nuclear plant component drawings, pictures of components in plants and substations, etc. We questioned these items as potentially sensitive information that should not be available to everyone with a TVA ID. These documents are being reviewed by the OSOs to determine if access should be restricted.

NON-BUSINESS INFORMATION

We found four instances of shares being used to store non-business related information, which included personal pictures and other documents, and Nintendo games which could be played on a Nintendo Entertainment System emulator. Current Communications Practice 8 states, "Use of all computing resources in TVA is to be utilized in support of legitimate TVA business interests." A draft business practice, Acceptable Use of Information Resources (Rules of Behavior), provides explicit prohibitions including "Storage of non-TVA information on TVA servers and other electronic storage devices." According to TVA's IT Security organization, this draft business practice is in the final issuance process.

MANAGEMENT OF TEMPORARY SHARES

TVA does not have a policy or guidance for management of temporary shares to address the proper use of the share (e.g., the types of information that can be stored and the unsecured nature of the share), the responsibilities of the users, and maintenance (e.g., a maximum time frame for retention of files on the share). As such, we observed:

1. Some temporary shares appear to have evolved from temporary to permanent storage areas. For example, five nuclear shares store over 720 GB of information and have almost 2.2 million files, some of which are over 10 years old. In addition, accounts for nuclear personnel are automatically mapped to these shares.

2. Two of the 20 temporary shares had a defined time for weekly deletion of documents. Files could remain on the other shares until the share was cleaned up by users (1) after e-mail notification to the site that the folder is full or (2) by request from site IS personnel.

3. There was nothing to identify the shares as unsecured temporary storage areas. IS put a file on one share to identify it as unsecured after PR&D information was found on the share.

NOTIFICATION POLICY

While there is not a federal law at this time requiring notification by TVA when PII has been compromised, there is proposed legislation which would require federal agencies to notify individuals when their PII has been compromised. TVA has drafted an SPP which defines the process for responding to computer security and privacy incidents. TVA-SPP-12.9 on Computer Security and Privacy Incident Response contains (1) guidelines for establishing the response team, which includes an Office of the General Counsel representative; (2) a risk assessment methodology for determining under what circumstances a general notification and/or individual notification is warranted; and (3) steps to be performed when notifying. According to TVA's IT Security organization, this SPP is in the final issuance process.

INFORMATION SECURITY POLICY

TVA has drafted a Business Practice to establish TVA's Information Security Policy. This business practice is intended to supersede the outdated Protection of Sensitive Information and Records policy issued on December 10, 1996. The draft business practice describes the classification and protection mechanisms for information handled throughout TVA. According to TVA's IT Security organization, this draft business practice is in the final issuance process.


RECOMMENDATIONS

We recommend the Chief Administrative Officer and Executive Vice President, Administrative Services, ensure:

1. OSOs and IS continue the review of the identified items and restrict access as needed.

2. The draft procedure TVA-SPP-12.9 on Computer Security and Privacy Incident Response is implemented.

3. For PII data exposures identified in this audit, general and/or individual notifications are made regarding the type of data exposed and TVA management's assessment of risk regarding the data exposures. Individual notice should be given whenever PII, such as social security numbers or other information which could be used in identity theft, is disclosed.

4. The draft business practices on Information Security Policy and Acceptable Use of Information Resources and other guidance on the use of temporary shares are implemented or developed, and all TVA employees and contractors are trained on these policies.

TVA Management's Response – The Chief Administrative Officer and Executive Vice President, Administrative Services, agreed with the findings and provided proposed corrective actions to address our recommendations (see the Appendix). In summary:

1. OSOs and IS completed the review of the temporary shares. An additional 169 instances of PII were identified. This information has been moved to a secure, hidden share. TVA will be conducting a risk analysis on this information. IS will institute a plan to monitor and review all share drives for sensitive information. Details of this plan will be completed by July 31, 2007.

2. TVA is in the process of converting TVA-level SPPs to TVA Procedures. TVA-SPP-12.9 will become a TVA procedure on Computer Security and Privacy Incident Response. Once converted, the procedure will go through the standards review process and is expected to be deployed by September 30, 2007.

3. Even though the PII was accessible within TVA by those with an authorized TVA ID, there is no evidence to suggest that this data has been acquired by an unauthorized person or disclosed outside of TVA. TVA will conduct a risk analysis for all identified instances of PII and will tailor its response to the nature and scope of the risk and ensure the response complies with any applicable federal regulations. These assessments are expected to be completed for the original instances by June 29, 2007, and for the remaining instances by July 31, 2007.

   Regarding notifications, TVA stated it (1) does not plan to issue individual notification of the exposure of sensitive information unless the risk assessments indicate a need to do so; and (2) will issue general, broad notification of the incidents, including employee and, as necessary, public notification. For the contractor database containing PII, TVA plans to notify the contractor and ask it to inform TVA of any general or individual notification the contractor makes.

4. The draft business practices are currently in the IS review and comment phase. The remaining implementation activities include OSO, IT Council, and SBU review; comment resolution; and deployment activities (communication, publication, and training). The expected completion date for full deployment is June 30, 2007.

   The continued use of temporary shares is being evaluated by IS. Based on this evaluation, appropriate guidance on the proper management and use of temporary shares will be developed and is expected to be issued to business units by June 30, 2007.

Auditor's Response – We concur with management's proposed actions for recommendations 1, 2, and 4. Regarding recommendation 3, we believe TVA's decision to perform a risk assessment to determine the level of notification required is consistent with OMB guidance. We recommend TVA (1) issue a general notification quickly and (2) expedite the risk assessment process to ensure individual notification, if warranted, is performed in a timely manner. The OIG will conduct a follow-up review after TVA completes its risk assessment process. The review will determine whether TVA's decision regarding individual notification(s) was reasonable.


APPENDIX

Memorandum dated June 8, 2007, from John E. Long, Jr., to Ben R. Wagner (three pages, reproduced in the original report as images only).